@ChuckFrey
Last active February 19, 2026 14:18
Possible file extensions to open with notepad.exe to reduce the risk of ransomware executing

For modern Windows 10 & 11 systems that do not support the legacy GPO approach, test the following for your environment.

1. An Updated XML (Classic Notepad)

To target the Classic (Win32) Notepad (C:\Windows\System32\notepad.exe) instead of the Microsoft Store version, you must use the Applications\notepad.exe ProgID.

File Name: SecurityAssociations.xml

<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <!-- Scripting and Execution Host Extensions -->
  <Association Identifier=".js" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
  <Association Identifier=".jse" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
  <Association Identifier=".vbs" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
  <Association Identifier=".vbe" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
  <Association Identifier=".wsh" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
  <Association Identifier=".wsc" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
  <Association Identifier=".wsf" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
  <Association Identifier=".sct" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
  <Association Identifier=".hta" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
  
  <!-- Shell and Legacy Shortcuts -->
  <Association Identifier=".shs" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
  <Association Identifier=".shb" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
  
  <!-- Batch and Command Files -->
  <Association Identifier=".cmd" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
  <Association Identifier=".bat" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
  
  <!-- Archives and Packages -->
  <Association Identifier=".cab" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
  <Association Identifier=".appx" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
</DefaultAssociations>

2. Steps for the Classic Notepad Product

On Windows 11, the system will try to push the UWP (Store) version of Notepad by default. To ensure the Classic version is used and respected by your GPO, follow these three steps:

Step A: Disable the "App Execution Alias" (Crucial for Win 11)

Windows 11 uses a per-user "redirector" (an App Paths registry entry) that points the command notepad.exe to the Store app. To force the classic one, override that entry:

  1. In your GPO, navigate to User Configuration > Preferences > Windows Settings > Registry.
  2. Create a new Registry Item:
  • Action: Replace
  • Hive: HKEY_CURRENT_USER
  • Key Path: Software\Microsoft\Windows\CurrentVersion\App Paths\notepad.exe
  • Value name: (Default)
  • Value type: REG_SZ
  • Value data: C:\Windows\System32\notepad.exe

Step B: Deploy the XML via GPO

  1. Save the XML referenced above to a network share accessible to all devices (e.g., \\Domain\NETLOGON\Security\SecurityAssociations.xml).
  2. Open your GPO and go to: Computer Configuration > Administrative Templates > Windows Components > File Explorer
  3. Enable: Set a default associations configuration file.
  4. Enter the path to your XML file.

Step C: Disable the Modern Notepad (Optional but Recommended)

If you want to ensure the modern Store app doesn't interfere at all:

  1. In the same GPO, go to: Computer Configuration > Administrative Templates > Windows Components > App Package Deployment

  2. Use Prevent non-admin users from installing packaged Windows apps, or block the Notepad package specifically by its Package Family Name, Microsoft.WindowsNotepad_8wekyb3d8bbwe (for example with an AppLocker Packaged app rule).
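To confirm that Steps A and B actually took effect on a pilot machine, the following PowerShell check is added here as an example; it is not part of the gist. It assumes the policy was delivered by GPO (so the XML path is read from HKLM\SOFTWARE\Policies\Microsoft\Windows\System) and that the file is the SecurityAssociations.xml shown above. Run it after gpupdate /force and a fresh logon of the test user.

```powershell
# Added verification script (example, not from the gist). Run on a test client after
# "gpupdate /force" and a fresh logon to confirm Steps A and B took effect.
# Assumptions: policy delivered by GPO (value lands under HKLM\...\Policies), and the XML
# is the SecurityAssociations.xml from this gist.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$policy = Get-ItemProperty -Path $policyKey -Name DefaultAssociationsConfiguration -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning "'Set a default associations configuration file' is not applied here (no DefaultAssociationsConfiguration value)."
    return
}
$xmlPath = $policy.DefaultAssociationsConfiguration
Write-Host "Policy XML path: $xmlPath"
if (-not (Test-Path -LiteralPath $xmlPath)) {
    Write-Warning "XML is not reachable from this host; the policy will silently do nothing."
    return
}

# Parse the XML into extension -> expected ProgId.
[xml]$doc = Get-Content -LiteralPath $xmlPath -Raw
$expected = @{}
foreach ($assoc in $doc.DefaultAssociations.Association) {
    $expected[$assoc.Identifier] = $assoc.ProgId
}

# The ProgId named in the XML must exist in HKCR, otherwise Explorer ignores the entry.
foreach ($progId in ($expected.Values | Sort-Object -Unique)) {
    $cmd = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    if ($cmd) { Write-Host "ProgId $progId opens with: $cmd" }
    else      { Write-Warning "ProgId $progId has no shell\open\command under HKCR" }
}

# Explorer records the effective per-user handler under FileExts\<ext>\UserChoice.
$report = foreach ($ext in ($expected.Keys | Sort-Object)) {
    $uc = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Extension = $ext
        Expected  = $expected[$ext]
        Effective = if ($uc) { $uc.ProgId } else { '(none: HKCR default applies)' }
        OK        = [bool]($uc -and $uc.ProgId -eq $expected[$ext])
    }
}
$report | Format-Table -AutoSize

# Step A check: the per-user App Paths redirector should point at the classic binary.
$appPath = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\notepad.exe' -ErrorAction SilentlyContinue).'(default)'
if ($appPath) { Write-Host "HKCU App Paths notepad.exe -> $appPath" }
else          { Write-Host 'HKCU App Paths notepad.exe is not set' }
```

Any row with OK = False means the policy either has not been processed for that user yet or the ProgId in the XML did not resolve; check the App Paths line last, since it only tells you which Notepad the classic ProgId will launch, not whether the association itself applied.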

Legacy Windows

For legacy Windows environments, you can create a GPO to change the default behavior of the following extensions so that opening them from the shell shows them as a benign text file in Notepad instead of running them as a script.

js
wsh
vbs
wsc
sct
jse
wsf
shs
shb
hta
vbe
cmd
bat
cab
appx

Other extensions worth considering as well, if normal users do not need them:

chm (Windows help files)
iso
ps1

Legacy Group Policy Steps

The steps to do so are as follows in the Group Policy Management Console.

  1. Switch to the GPO editing mode. In the GPO editor, go to the section User Configuration -> Preferences -> Control Panel Settings -> Folder Options.

  2. Create a new parameter New -> Open With.

  3. Fill the fields as follows:

  • Action: Update
  • File Extension: one of the extensions listed above, e.g. js
  • Associated Program: %windir%\system32\notepad.exe (or whichever viewer is appropriate)
  • Set as default: check the option

  4. Repeat for each extension. The finished product should look similar to GPO.png.
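Before building either the legacy Open With items or the XML, it helps to know what each candidate extension currently does on a representative machine. The following PowerShell audit is added here as an example and is not part of the gist: it resolves each extension to its effective ProgId and open command, flags the ones that actually execute on double-click, and then emits a DefaultAssociations XML for everything that is registered, using the same Applications\notepad.exe ProgId as the gist. The extension list is taken from the two lists above; the interpreter list and the output path under %TEMP% are assumptions to adjust for your environment.

```powershell
# Added audit/generator script (example, not from the gist). Reports what each candidate
# extension currently executes on this machine and writes a DefaultAssociations XML
# pointing registered ones at the classic Notepad ProgId used in the gist.
# Assumptions: $ExecHosts lists the interpreters you consider "executes, not views";
# $OutFile is a scratch location, copy it to your NETLOGON share once reviewed.

$Candidates = 'js','wsh','vbs','wsc','sct','jse','wsf','shs','shb','hta','vbe','cmd','bat','cab','appx',
              'chm','iso','ps1'    # the "if not needed" extras from the list above
$OutFile    = "$env:TEMP\SecurityAssociations.xml"

# Interpreters that mean "double-click executes" rather than "double-click views".
$ExecHosts = 'wscript.exe','cscript.exe','mshta.exe','cmd.exe','powershell.exe','pwsh.exe',
             'hh.exe','rundll32.exe','regsvr32.exe'

function Get-ShellHandler {
    param([Parameter(Mandatory)][string]$Extension)
    $ext = ".$Extension"
    # A per-user UserChoice wins over the HKCR default when present.
    $uc = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice" -ErrorAction SilentlyContinue
    $progId = if ($uc) { $uc.ProgId } else { (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)' }
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    # Image = first token of the command (quoted or not) with environment variables expanded.
    # batfile/cmdfile use the command "%1" %*, i.e. the file itself is the image and runs directly.
    $image = $null
    if ($command) {
        $expanded = [Environment]::ExpandEnvironmentVariables($command)
        $image = if ($expanded -match '^"([^"]+)"') { $Matches[1] } else { ($expanded -split '\s+')[0] }
        $image = [IO.Path]::GetFileName($image).ToLowerInvariant()
    }
    [pscustomobject]@{
        Extension = $ext
        ProgId    = if ($progId) { $progId } else { '(unregistered)' }
        Image     = $image
        Executes  = [bool]($image -eq '%1' -or ($image -and $ExecHosts -contains $image))
    }
}

$audit = $Candidates | ForEach-Object { Get-ShellHandler $_ }
$audit | Format-Table -AutoSize

# Build the XML for every registered extension, each pointing at the classic Notepad ProgId.
$toNeutralise = @($audit | Where-Object { $_.ProgId -ne '(unregistered)' })
$xml  = New-Object System.Xml.XmlDocument
$null = $xml.AppendChild($xml.CreateXmlDeclaration('1.0', 'UTF-8', $null))
$root = $xml.AppendChild($xml.CreateElement('DefaultAssociations'))
foreach ($row in $toNeutralise) {
    $a = $root.AppendChild($xml.CreateElement('Association'))
    $a.SetAttribute('Identifier', $row.Extension)
    $a.SetAttribute('ProgId', 'Applications\notepad.exe')
    $a.SetAttribute('ApplicationName', 'Notepad')
}
$xml.Save($OutFile)
Write-Host "Wrote $($toNeutralise.Count) associations to $OutFile"
```

On a stock install the audit typically shows .js/.vbs/.wsf handed to wscript.exe, .hta to mshta.exe, .chm to hh.exe and .cmd/.bat with the "%1" self-execute command, while .ps1 already opens in Notepad; extensions that are unregistered on the machine are left out of the XML because Explorer would ignore them anyway.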

It is important to test and roll this out slowly so as to not impact your production environment. Keep in mind that this only changes what the shell does when a file is opened or double-clicked; anything that invokes the interpreter explicitly (wscript.exe payload.js, mshta.exe payload.hta, cmd /c payload.bat) is unaffected, so pair it with the ASR rules mentioned below and with application control where you can.

Side note: If you need to allow certain scripts to execute in your environment, I would suggest monitoring them for non-RFC1918 (Internet-bound) network connections and baselining their normal destinations accordingly.
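One way to do that monitoring with Sysmon, added here as an example rather than something from the gist: Sysmon Event ID 3 (NetworkConnect) records the image and destination IP of every outbound connection, so script hosts talking to non-RFC1918 addresses can be pulled out directly. The sample records below are constructed for a dry run; the list of script hosts and the decision to treat IPv6 destinations as non-private are assumptions you should tune to your environment.

```powershell
# Added detection example (not from the gist): flag script hosts making non-RFC1918
# connections from Sysmon Event ID 3, and summarise the rest as a baseline.
# Assumptions: Sysmon is installed with NetworkConnect logging; $ScriptHosts is your
# interpreter list; IPv6 destinations are treated as non-private (adjust if you use ULA).

$ScriptHosts = 'wscript.exe','cscript.exe','mshta.exe','powershell.exe','pwsh.exe',
               'cmd.exe','rundll32.exe','regsvr32.exe'

function Test-PrivateDestination {
    # True for RFC1918 (10/8, 172.16/12, 192.168/16) and loopback; false for everything else.
    param([Parameter(Mandatory)][string]$Ip)
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne 'InterNetwork') { return $false }   # IPv6: not private here (assumption)
    $b = $addr.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

function Get-SysmonNetworkEvents {
    # Read real Event ID 3 records and flatten EventData into objects with the same shape as $Sample.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                UtcTime = $d.UtcTime; User = $d.User; Image = $d.Image
                DestinationIp = $d.DestinationIp; DestinationPort = $d.DestinationPort
                DestinationHostname = $d.DestinationHostname
            }
        }
}

function Find-ScriptHostEgress {
    # Emit only script-host connections to non-private destinations not on the allow list.
    param(
        [Parameter(ValueFromPipeline)]$Record,
        [string[]]$AllowedDestinations = @()
    )
    process {
        $image = [System.IO.Path]::GetFileName($Record.Image).ToLowerInvariant()
        if ($ScriptHosts -notcontains $image) { return }
        if (Test-PrivateDestination $Record.DestinationIp) { return }
        if ($AllowedDestinations -contains $Record.DestinationIp) { return }
        $Record | Select-Object UtcTime, User, Image, DestinationIp, DestinationPort, DestinationHostname
    }
}

# Constructed sample records (not real telemetry) so the logic can be exercised offline.
$Sample = @(
    [pscustomobject]@{ UtcTime='2025-04-03 14:02:11.123'; User='CORP\jdoe';    Image='C:\Windows\System32\wscript.exe'; DestinationIp='203.0.113.45'; DestinationPort='443'; DestinationHostname='-' },
    [pscustomobject]@{ UtcTime='2025-04-03 14:02:12.001'; User='CORP\svc_inv'; Image='C:\Windows\System32\cscript.exe'; DestinationIp='10.20.30.40';  DestinationPort='445'; DestinationHostname='fs01.corp.local' },
    [pscustomobject]@{ UtcTime='2025-04-03 14:02:13.500'; User='CORP\jdoe';    Image='C:\Program Files\Mozilla Firefox\firefox.exe'; DestinationIp='198.51.100.7'; DestinationPort='443'; DestinationHostname='-' },
    [pscustomobject]@{ UtcTime='2025-04-03 14:02:14.250'; User='CORP\jdoe';    Image='C:\Windows\System32\mshta.exe';   DestinationIp='192.168.1.5';  DestinationPort='80';  DestinationHostname='intranet.corp.local' },
    [pscustomobject]@{ UtcTime='2025-04-03 14:02:15.900'; User='CORP\jdoe';    Image='C:\Windows\System32\mshta.exe';   DestinationIp='2001:db8::10'; DestinationPort='443'; DestinationHostname='-' }
)

'--- Script-host egress to non-RFC1918 destinations ---'
$Sample | Find-ScriptHostEgress | Format-Table -AutoSize

'--- Baseline: script-host destinations by image (use this to populate -AllowedDestinations) ---'
$Sample | Where-Object { $ScriptHosts -contains [System.IO.Path]::GetFileName($_.Image).ToLowerInvariant() } |
    Group-Object Image, DestinationIp | Select-Object Count, Name | Format-Table -AutoSize

# Against the live log: Get-SysmonNetworkEvents | Find-ScriptHostEgress -AllowedDestinations '203.0.113.45'
```

With the sample data, only the wscript.exe connection to 203.0.113.45 and the mshta.exe connection to 2001:db8::10 are flagged: the cscript.exe and first mshta.exe records hit RFC1918 space, and firefox.exe is not a script host. Run the baseline output for a week on the machines that legitimately need scripts, then feed the approved destinations into -AllowedDestinations.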

But wait, there is more BONUS material: leverage Microsoft Defender Attack Surface Reduction (ASR) rules to block executable content arriving through web and mail clients; see the Microsoft ASR rules reference for the relevant rules.

@ChuckFrey
Author

How would you revert back to the original open with if you ran into an issue ?

Remove the appropriate values or the GPO altogether and run gpupdate /force @TDoug68

@TDoug68

TDoug68 commented Apr 3, 2025

I tried that and still cannot seem to get .cmd files back to normal and I appear to not be able to associate them to CMD.EXE as well. Even did the Default Apps reset on Windows 11 and that did not work as well.

Have also modified the registry
HKEY_CLASSES_ROOT\.cmd (Default) = cmdfile
HKEY_CLASSES_ROOT\cmdfile\shell\open\command (Default) = "%SystemRoot%\System32\cmd.exe" "%1"

@ChuckFrey
Author

What event IDs do you see in event logs when doing this? 1704? How about RSOP? What does that look like?

@TDoug68

TDoug68 commented Apr 4, 2025

No events or ID, only thing happening is when I double click the CMD file I get an error "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I have admin rights so that is not it. Also does not matter where the file is on the computer, same error. Another thing: it is not launching when right-clicking and running as administrator. It is acting like it is not really associated with cmd.exe.

@ChuckFrey
Author

You should have event IDs indicating whether the GPO is applied/removed/failing_to_apply/etc. What about RSOP?

What is the assigned file w/ the extension, how to check link?

@jth0

jth0 commented Feb 19, 2026

Just happened to look at this two days after your updates re: forcing the non-app store notepad. Can you say more about why you’re recommending this?

@ChuckFrey
Author

Just happened to look at this two days after your updates re: forcing the non-app store notepad. Can you say more about why you’re recommending this?

TLDR: Essentially, for a security control designed to 'defuse' a threat, we want the most boring, stable, and predictable tool available—and that is the classic System32 Notepad IMHO.

  1. Path Stability for GPOs: The classic Notepad has a permanent, static path (C:\Windows\System32\notepad.exe). The Store app resides in versioned folders (under C:\Program Files\WindowsApps) that can change every time the app updates, making it potentially difficult to reliably hard-code in a Group Policy or an AppAssoc.xml file for long-term deployment.
  2. Fail-Safe Reliability: In many enterprise environments, the Microsoft Store is restricted or disabled. If the 'Modern' Notepad fails to launch, is being updated, or is blocked by policy, the file association could break and revert to the system default—which is often the Windows Script Host (the very thing we are trying to block). The classic version is a 'fail-safe' that is always present and functional.
  3. Forensic & Security Hygiene: The modern Store app includes 'convenience' features like Autosave and Session Recovery. If you (or a user) opens a malicious script to inspect it, the Store app may automatically cache that malicious code into a temporary metadata folder on the disk. The classic version is a lightweight, 'clean' viewer that doesn't leave a forensic footprint or cache file contents in the background.
